If you have any feedback or would like to contact me offline, don't hesitate to email me: mike[@]cloppert[.]org

2008-04-22

Email Authentication Frameworks: Truthiness

A few weeks ago, my boss asked for my opinion on an article by Dan Kaplan of SC Magazine titled Keeping A Secret, published 3/9/2008 (yes, a while ago). The article discusses the larger problem of authenticating email senders, and specifically the TSCP (Transglobal Secure Collaboration Program) framework. It was a great opportunity to step back and contemplate the fundamental concerns and drawbacks of authenticating email. I'm sharing my sanitized thoughts here for the consumption of others, as I think these issues are shared amongst security practitioners everywhere - whether it's called TSCP, TEOS [pdf] (Microsoft's Trusted Email "Open" Standard), or something else.

First, a brief bit about TSCP. From their website, TSCP "engenders a common framework for secure collaboration and sharing of sensitive information in international defence and aerospace programs." It is a partnership, not so much an organization or industry trade group. The group has released secure email specifications [pdf] designed to help address the identity management problems inherent in email, somewhat as an implementation of Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors.

Enough boring govvie crap, though, let's get on to an analysis of the article and some critical thinking about the claims of the proponents of this and other related systems.

The two sources Kaplan uses to set the tone of this article are Northrop Grumman's Keith Ward, who frames the problem of email authentication, and Amit Yoran (NetWitness CEO & former Bush administration cybersecurity chief), who acts as a professional opinion source on TSCP. Keith does a good job of boiling down the problem we face with targeted, forged emails, and to a certain extent how they've impacted the DoD and its contractors. However, the extent to which TSCP - and indeed any email authentication framework - addresses this problem is greatly exaggerated by Yoran. He even claims the standard "helps remove entire categories of problems that plague us like spear phishing." This is simply not true. The article goes on to cheerlead TSCP as addressing everything from green initiatives to terrorism - weak claims that are clearly hyperbole.

TSCP will give recipients a higher level of confidence that the sender of an email from a participating member is authentic. The meat of the article really focuses on Yoran's quote above; however, there are two fundamental problems with the assertion that an email authentication framework (let's assume TSCP is flawlessly implemented) will solve whole categories of problems like spear phishing:

1. It is inconceivable that there will be any situation where all email correspondence for an account holder will be subject to this framework. Wherever there is professional correspondence, there is opportunity for spear phishing. Even where there is casual correspondence, that opportunity exists. To wit, I have seen targeted email campaigns that spoof personal correspondents as senders (scary, huh?). Any broadcast emails that come from a shared or anonymous address will not fit into such a framework. These are common, especially for announcements on contracts from the government (BAAs), mailing lists, etc.

2. The security of the system presupposes that all credentials are secure. If any credentials are compromised, this trust system fails, and phishing is not only possible using the compromised credentials, but it stands to be far more effective as the sender is "trusted." The framework provides a quick and effective response in such situations - revoking the credentials - that isn't available in classic email correspondence, but in the interim all other participants are exposed. To that end, the approach suffers from a painful paradox: the larger the system, the more useful it is and the more participation will grow. But as the system grows larger, the likelihood that some credentials will be compromised at any given time grows with it, putting us right back at square one.
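As an added illustration of the scaling argument in point 2 (example code written for this post, not anything from TSCP or the article), here is a small Python model. It assumes each credential is compromised independently with a daily probability p and remains trusted for d days before the framework revokes it; all parameter values are made up.

```python
"""Model of the "larger system, more exposure" paradox for a trusted-sender
email framework. Assumptions (not from any real deployment): each credential
is compromised independently on any given day with probability p, and a
compromised credential keeps passing verification for d days until revoked."""


def per_credential_exposure(p: float, d: int) -> float:
    """Probability that one credential is, today, compromised but not yet
    revoked: it was compromised on at least one of the last d days."""
    return 1.0 - (1.0 - p) ** d


def exposure_probability(n: int, p: float, d: int) -> float:
    """Probability that at least one of n participating credentials is
    currently in the compromised-but-trusted window, i.e. that a
    "trusted" phishing message is possible somewhere in the system today."""
    q = per_credential_exposure(p, d)
    return 1.0 - (1.0 - q) ** n


def expected_exposed(n: int, p: float, d: int) -> float:
    """Expected number of credentials in the exposure window at any time."""
    return n * per_credential_exposure(p, d)


def exposure_table(p: float, d: int, sizes=(10, 100, 1_000, 10_000)) -> list:
    """Rows of (participants, P[some credential exposed], expected exposed)."""
    return [(n, exposure_probability(n, p, d), expected_exposed(n, p, d))
            for n in sizes]


if __name__ == "__main__":
    # Assumed figures: one compromise per credential per ~3 years of days,
    # and a 3-day lag between compromise and revocation.
    P_DAILY, REVOKE_DAYS = 1 / 1000, 3
    print(f"p={P_DAILY} per day, revocation lag={REVOKE_DAYS} days")
    for n, prob, exp in exposure_table(P_DAILY, REVOKE_DAYS):
        print(f"{n:>6} participants: P(exposed)={prob:.3f}  E[exposed]={exp:.2f}")
```

Even with optimistic per-credential figures, the probability that some trusted sender is exploitable at a given moment climbs toward certainty as participation grows, which is the interim exposure the post describes.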

All of this isn't to say that TSCP or similar frameworks are impossibly flawed to the point of being useless. Such systems do raise the bar for adversaries, making some of their approaches less tractable. Expectations should be tempered, however, and investments in them should reflect their true benefits as a real implementation. Users should also realize that strange behavior is strange behavior, even within a trusted framework.

For a long time I have been working on an entry covering identity management more broadly (and philosophically); stay tuned, maybe I'll finish it one day.


About Me

I have been employed in various information technology fields since 1997, and in information security since 2001. I have an undergrad degree in Computer Engineering from the University of Dayton, received various industry certifications (GCIA, GREM, GCFA, etc.), and am currently pursuing a MS in Computer Science from George Washington University. I have lectured on various information security topics to IEEE, internal organization-wide IT conferences, and the annual Department of Defense Cybercrime Convention. My international work experience consists of training on general information security topics and IDS design/implementation onsite in Egypt, Israel, and India, as well as providing incident response assistance in the Far East. I have been a contributing editor to incident response procedures for two major organizations, and have been involved in digital forensic investigations since 2001. Currently, my work consists of security-related research and development, covering topics from vulnerability and exploit reverse engineering to implementation of security technologies, as well as digital forensics for an enterprise Computer Incident Response Team.